Last fall, a security vulnerability affecting Spring Data REST was discovered. We patched the affected modules and published a CVE. We’ve seen some recent news about this that’s led to confusion. Here’s the scoop:
- There was a security vulnerability allowing arbitrary code execution in Spring Data REST up to and including versions 2.6.8 and 3.0.0.
- This vulnerability has been fixed in the following versions:
  - Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017), included in Spring Boot 1.5.9 (Oct. 28th, 2017).
  - Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017), included in Spring Boot 2.0 M6 (Nov. 6th, 2017).
- The CVE was originally published at the end of September 2017. We originally thought that we had fixed the issue with releases that had been published a couple of days before. Subsequent feedback showed that this wasn’t the case and the issue was eventually fixed in October / November 2017. Regrettably, the CVE was not updated to reflect this. The team is working on making sure that this lack of update does not happen again.
We saw some stories that got a few details wrong. Let’s clear things up:
- At no point in time have “various Spring modules” been affected. The issue has existed in Spring Data REST only.
- When the CVE lists a Spring Boot version as affected, it does not mean that every Spring Boot project is affected. Only projects that use the particular Spring Data REST module are. We only state the Spring Boot versions in CVEs to allow users to quickly identify whether or not the version of Spring Boot they are using contains a vulnerable version of Spring Data.
- Some publications create the impression that all REST APIs built with Spring – including ones manually coded with Spring MVC – are affected. That’s not the case. You’re only affected if you expose HTTP resources that are handled by Spring Data REST.
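The two points above reduce to a concrete check: does the build actually pull in a Spring Data REST artifact, and if so, is its version in the affected range? The following script is an added example, not code from the Spring team or this post. It assumes the text output of `mvn dependency:tree` as input (the coordinate format `groupId:artifactId:packaging:version:scope` is how that plugin prints lines) and encodes only the range the post states: 2.x up to and including 2.6.8, and 3.0.0. A project that pulls in Spring MVC but no `spring-data-rest-*` artifact produces no findings, which matches the post's point about hand-coded REST APIs.

```python
"""Flag Spring Data REST artifacts in `mvn dependency:tree` output that fall in
the affected range from the post (<= 2.6.8, or exactly 3.0.0).
Added example; the regex and sample tree below are assumptions, not Spring's code."""
import re
from typing import List, NamedTuple, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the post: fixed in 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1).
LAST_AFFECTED_2X: Version = (2, 6, 8)
AFFECTED_3X: Version = (3, 0, 0)

# Assumed shape of a dependency:tree line, e.g.
#   [INFO] |  +- org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile
COORD_RE = re.compile(
    r"org\.springframework\.data:(spring-data-rest(?:-[a-z]+)*):[a-z]+:(\d+)\.(\d+)\.(\d+)"
)


class Finding(NamedTuple):
    artifact: str
    version: str
    vulnerable: bool


def is_vulnerable(version: Version) -> bool:
    """True if the version lies in the range the post lists as affected."""
    return version <= LAST_AFFECTED_2X or version == AFFECTED_3X


def scan_dependency_tree(tree_output: str) -> List[Finding]:
    """Extract every Spring Data REST artifact from the tree and classify it.

    Lines for other artifacts (Spring MVC, Boot starters, ...) are ignored:
    a project that never resolves spring-data-rest-* is not exposed."""
    findings: List[Finding] = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        artifact = match.group(1)
        version = (int(match.group(2)), int(match.group(3)), int(match.group(4)))
        findings.append(Finding(artifact, ".".join(map(str, version)), is_vulnerable(version)))
    return findings


def report(tree_output: str) -> List[str]:
    """Human-readable lines, one per Spring Data REST artifact found."""
    lines = []
    for f in scan_dependency_tree(tree_output):
        status = "AFFECTED - upgrade to 2.6.9 / 3.0.1 or later" if f.vulnerable else "fixed version"
        lines.append(f"{f.artifact} {f.version}: {status}")
    return lines or ["no Spring Data REST artifact resolved; not exposed to this issue"]


# Constructed sample output (illustrative versions, not a real build's tree).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.8.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile
[INFO] |  |  \\- org.springframework.data:spring-data-rest-core:jar:2.6.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.8.RELEASE:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:4.3.12.RELEASE:compile
"""

if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

In practice you would pipe `mvn dependency:tree` into the script instead of using the embedded sample; the same approach works for a multi-module build because every module's subtree is scanned line by line.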
We generally recommend upgrading to new bugfix releases of individual Spring modules as soon as possible. The team also takes great care to coordinate releases so that a Spring Boot release bundling the latest bug and security fixes is published very close to the releases of the ecosystem projects.
For security-relevant upgrades, please make sure you monitor our published CVE list so that you find out immediately about releases shipping security fixes.